CurrentC, the mobile payment service that is challenging Apple Pay with funding from the largest U.S. retailers, has already been hacked, according to the Merchant Customer Exchange (MCX).
In an email sent on Wednesday to participants in CurrentC’s pilot program, MCX said unauthorized third parties had obtained the email addresses of CurrentC users, though no other information was taken. The email also warned recipients of possible phishing attempts stemming from the theft.
“In an abundance of caution, we wanted to make you aware of this incident and urge you not to open links or attachments from unknown third parties,” MCX said. According to Mashable, MCX claims that the CurrentC app itself was not affected.
CurrentC, which is now in the beta-testing phase, uses QR codes to process payments at the register, unlike Apple Pay, which uses near-field communication (NFC) technology. Tech-watchers have raised questions about the wisdom of generating QR codes that link to consumers’ bank accounts, as CurrentC does. Apple Pay’s NFC system, meanwhile, is said to be more secure because it uses tokenization, replacing credit card information with a different number, called a token, generated by a secured cryptographic function.
Analysts anticipate that CurrentC, which is set to launch in 2015, will see widespread use in the United States. Participating retailers are already taking steps to prevent their customers from using Apple Pay. Last week, Rite Aid and CVS, both members of the MCX consortium, disabled Apple Pay-compatible NFC equipment in their stores.
According to Business Insider, neither pharmacy will allow customers to use Google Wallet either, even though Google’s mobile payment system has been around for over two years.
Unnamed sources at multiple MCX retailers told the New York Times this week that they signed a contract with MCX and faced “steep fines” for accepting mobile payments from CurrentC competitors such as Apple Pay.
MCX denied the existence of any such fines and claimed that retailers are simply not allowed to use their service and accept Apple Pay. “When merchants choose to work with MCX, they choose to do so exclusively and we’re proud of the long list of merchants who have partnered with us,” MCX said on its website.
“Importantly, if a merchant decides to stop working with MCX, there are no fines” (emphasis in original).
MCX counts among its members some of the nation’s largest retailers, many of whom have already fallen victim to cyberattacks targeting point-of-sale (POS) systems, including WalMart, Target, GAP, and Best Buy.
Update 6pm ET, 10.29.14: MCX CEO Dekkers Davidson defended CurrentC’s security during a conference call late Wednesday afternoon. He emphasized that the recent attack was “not a breach” of the CurrentC app itself and added that mostly dummy email addresses were affected. Moreover, Davidson repeated that MCX member retailers would not be penalized for adopting Apple Pay alongside CurrentC. “We have a great deal of respect for Apple, of course, and Apple Pay,” Davidson said. “We believe and our merchants believe we require two to three strong players in the space to build the ecosystem.” (h/t TIME)